Glozr docs

WordPress & WooCommerce

WordPress REST API

The WordPress plugin and Glozr server speak HTTP in both directions. Plugin → Glozr is bearer-authenticated and HMAC-signed on mutations. Glozr → Plugin is HMAC-only. Both sides enforce a 5-minute timestamp window.

Authentication

Direction                    Credential                Storage                               Replay window
Plugin → Glozr               Bearer token pbar_…       SHA-256 hash on server
Plugin → Glozr (mutations)   Bearer + HMAC signature   HMAC key is the token plaintext       5 min
Glozr → Plugin               HMAC signature only       shopper_signing_secret in wp_options  5 min

HMAC signature scheme

The signature header format is:

X-Pitchbar-Signature: t=<unix_ts>,v1=<hex_sig>

The signature itself is hmac_sha256(secret, "{t}.{raw_body}"), where t is the unix timestamp from the header and raw_body is the request body exactly as sent, before any JSON decoding. Both ends reject deliveries whose t differs from the receiver's clock by more than 300 seconds, and both compare the received v1 value against the recomputed one in constant time to defeat timing attacks.

Glozr endpoints (Plugin → Glozr)

All routes require Authorization: Bearer pbar_… with the wp:integration ability.

POST /api/v1/wp/handshake

Tests the connection and retrieves workspace and agent details. HMAC is not required on this call: it is the call that bootstraps the signing secret, so the plugin has nothing to sign with yet.

Request body: site URL, plugin version, WooCommerce status, WordPress version.

Response: workspace, available agents, token details, and a fresh shopper_signing_secret (stored plaintext in wp_options).

POST /api/v1/wp/posts/sync

Bulk post/page upsert, up to 50 documents per request. HMAC required.

Fields: wp_id, post_type, permalink, title, content_html, excerpt, content_hash, modified_at, language, taxonomy_terms.

POST /api/v1/wp/products/sync

Bulk WooCommerce product upsert, up to 50 per batch. HMAC required.

Fields: wp_id, sku, name, permalink, image_url, descriptions, pricing, stock status, sale status, categories, attributes.

POST /api/v1/widget/coupon/apply

Called by the embedded widget when the visitor taps Apply on a coupon card. Uses the widget JWT (not the API token) and is throttled at 30 requests/minute per IP.

Plugin endpoints (Glozr → Plugin)

Base URL: {wp_site_url}/wp-json/pitchbar/v1/. Every route verifies the X-Pitchbar-Signature header against the stored shopper_signing_secret.

POST /wp-json/pitchbar/v1/orders/lookup

Looks up a customer's recent WooCommerce orders by user ID or order number.

Response: order ID, number, status, total, currency, items, tracking URL.

POST /wp-json/pitchbar/v1/leads

Creates or updates a WordPress user from a captured lead.

Behavior: existing emails update in place; new emails create a WooCommerce customer when WC is active, otherwise a WordPress subscriber; Glozr conversation and lead IDs are written to user meta for correlation.

POST /wp-json/pitchbar/v1/cart/coupon

Stages a coupon code for application on cart load.

Behavior: validates that the coupon exists, stores it in a 15-minute transient, applies it via the woocommerce_load_cart_from_session hook.

Error response shape

The two sides use slightly different envelopes:

  • Glozr: { "message": "…", "code": "…", "errors": { "field": […] } }
  • Plugin: { "error": { "code": "…", "message": "…" } }

Common status codes

  • 200 — success or ignored no-op.
  • 400 — validation error or invalid coupon.
  • 401 — authentication failure.
  • 403 — insufficient token ability.
  • 404 — resource not found.
  • 429 — rate-limited.

Rate limits

Glozr routes throttle at 60 requests/minute per token. Plugin routes rely on HMAC verification and a 5-second hard timeout to limit abuse.

Note. The header name X-Pitchbar-Signature and REST namespace /wp-json/pitchbar/v1/ are wire-level identifiers shared with the plugin internals. Do not rename them in custom integrations.